Text available at http://www.phpsecure.org/tutos/webchat.1-5.xoops.rc3.sql.injection.txt
Patch available on phpsecure.org

XOOPS RC3 WebChat Module SQL Injection

Tested with : Xoops RC3, WebChat 1-5
Author : val2 - phpsecure.org for more info and ~patches~

Lines 291-299 from modules/WebChat/index.php :

    if(isset($roomid)) {
        if($xoopsUser) {
            $wcusername = $xoopsUser->getVar("uname", "E");
            $uid = $xoopsUser->getVar("uid", "E");
        }
        join_room($roomid,$pass,$wcusername,$uid); /* <- calling join_room function with param $roomid */
    } else {
        disp_index($errmsg);
    }

Lines 204-208 :

    function join_room($roomid,$pass,$username,$uid) {
        global $xoopsDB, $xoopsUser, $xoopsConfig, $ModName, $user, $sitename, $pnconfig, $language, $usertime;
        unset($errmsg);
        $sql = "SELECT rid, name, typ, pass, descript FROM ".$xoopsDB->prefix("chatroom")." WHERE rid = $roomid";
        $row = mysql_fetch_array(mysql_query($sql));
        [...]

PROBLEM :

$roomid is included in the SQL query without verification.

PATCH :

Add this line at the beginning of index.php, or download the patch from phpsecure.org :

    $roomid = addslashes($roomid);

If you're paranoid, shut down your box and wait for an official release ;)

EXPLOIT :

You're a PHP/SQL g00r00, you don't need an exploit :p

MORE PATCHES ! www.phpsecure.org
MORE HOLES ! www.phpsecure.org
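
An added example for the PATCH step (not code from XOOPS or from the advisory's author): because $roomid is placed in the query without surrounding quotes, it compares what addslashes() produces with a strict integer check, over constructed inputs. The "xoops_" table prefix, the function names and the sample values are assumptions.

```php
<?php
// Added example, not XOOPS or phpsecure.org code. The "xoops_" table prefix,
// the function names and the sample inputs are constructed for illustration.

const ROOM_SQL = "SELECT rid, name, typ, pass, descript FROM xoops_chatroom WHERE rid = ";

// The advisory's one-line patch: escapes ' " \ and NUL, nothing else.
function query_with_addslashes($roomid): string
{
    return ROOM_SQL . addslashes((string) $roomid);
}

// Strict check: a plain decimal string, 1 to 9 digits, no sign, no spaces.
// Returns the integer, or null when the request must be rejected.
function parse_room_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Builds the query only from a validated integer.
function query_with_validation($roomid): ?string
{
    $rid = parse_room_id($roomid);
    return $rid === null ? null : ROOM_SQL . $rid;
}

// Constructed request values, as they would arrive in $roomid.
$samples = ['7', '7 OR 1=1', "7'", '-1', '', ['7']];

foreach ($samples as $raw) {
    $shown = is_array($raw) ? 'array' : var_export($raw, true);
    echo "input: $shown\n";
    if (!is_array($raw)) {
        // addslashes() leaves quote-free input unchanged in this unquoted context.
        echo "  addslashes : " . query_with_addslashes($raw) . "\n";
    }
    $q = query_with_validation($raw);
    echo "  validated  : " . ($q ?? 'rejected') . "\n";
}
```

Only the first sample passes the integer check; the second reaches the query unchanged through addslashes() because it contains no character that function escapes.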